Obama's Executive Order Renews Cybersecurity Debate

President Obama's decision to issue an executive order boosting U.S. cybersecurity has placed the issue back on the national agenda following last year's failed legislative attempts. The order is very process-oriented, and groups are weighing in on whether it will be able to achieve its goal: better protection of the country's infrastructure.

Too much regulation, not enough protection, too much private sector involvement: President Obama's just-released cybersecurity executive order has sparked concern from several advocacy groups, even as controversial legislation designed to protect the nation's infrastructure made a reappearance Wednesday in Congress.

The U.S. Chamber of Commerce opposed the order. It argued that instituting new regulation is unnecessary.

Meanwhile, the Constitution Project says the order poses "far fewer threats" to Americans' privacy rights than the Cyber Intelligence Sharing and Protection Act (CISPA), which was reintroduced in the U.S. House of Representatives Wednesday after having been withdrawn last year in the face of strenuous opposition.

The Information Technology and Innovation Foundation (ITIF) is among the organizations that contend Congress should pass a cybersecurity law anyway, because adhering to the executive order might expose companies to lawsuits over civil liberties and privacy.

Security researchers NSS Labs argued that product vendors shouldn't be involved as suggested by the order, and added it doesn't do enough to protect U.S. critical infrastructure.

What's in the Executive Order?

The executive order defines what constitutes the nation's critical infrastructure, and states that policy coordination, guidance, dispute resolution and in-progress reviews will be provided through an interagency process.

The U.S. National Institute of Standards and Technology (NIST) will lead the development of a cybersecurity framework to reduce risks to critical infrastructure. The framework will incorporate voluntary standards and, where they fit, voluntary international standards.

That framework will provide measurable and cost-effective ways to protect the country's cyberassets, while lessening its impact on business confidentiality, individual privacy and civil liberties.

A preliminary version of the cybersecurity framework must be published within 240 days, and a final version within one year. Adoption of the framework by the private sector will be voluntary.

The order directs agencies to incorporate protection for privacy and civil liberties into their activities based on the Fair Information Practice Principles, and other policies covering privacy and civil liberties. Agencies will be assessed on this.

Information submitted voluntarily to the federal government by private entities will be protected from disclosure.

The U.S. Attorney General, the Secretary of Homeland Security and the Director of National Intelligence have 120 days to issue instructions on how to produce timely, unclassified reports of cyberthreats that identify a specific targeted U.S. entity. They also have to set up a process to track the production, dissemination and disposition of these reports.

The Secretaries of Homeland Security and Defense have 120 days to establish procedures to expand the Enhanced Cybersecurity Services program; this provides classified cyberthreat and technical information to companies in all critical infrastructure sectors or their security service providers.

The government will expand programs that temporarily bring private sector subject matter experts into federal service as consultants.

Reaction to the EO

"This is code for 'If we know we are being attacked, we will have to do something about it,'" Vikram Phatak, CEO of
NSS Labs, told TechNewsWorld.

Executive action is unnecessary, said Ann Beauchesne, vice president of National Security and Emergency Preparedness at the
U.S. Chamber of Commerce. "If the proposed cybersecurity program is to counter major threats to U.S. security," Beauschesne told TechNewsWorld, "it needs to operate in a manner that is fast, flexible and innovative, just like our adversaries."

The executive order didn't contain any big surprises, said Daniel Castro, senior analyst at the
Information Technology and Innovation Foundation. Castro, however, did weigh in on how the inclusion of private sector security experts could be a point of contention.

Such experts "are always included in these proposals because they manage the majority of critical infrastructure and they have much of the subject-matter expertise," Castro told TechNewsWorld.

However, including the private sector "is like asking the fox to help design chicken coops," Phatak suggested. "Product vendors should not have a seat at the table."

Obama administration officials indicated at a Wednesday morning briefing that they intend to move forward quickly with implementing the executive order, "even with the reintroduction of CISPA and the anticipated reintroduction of cybersecurity legislation in the Senate," Larry Akey, spokesperson for
The Constitution Project, told TechNewsWorld.

"The administration has consistently maintained that legislation would be necessary to accomplish the full scope of what it wants to achieve," Akey said.